Authentication Flow
User visits login page
↓
User submits email/username + password
↓
Controller validates request
↓
User record is looked up
↓
Password is verified
↓
Valid ------------------→ Session is created
Invalid ----------------→ Login fails
↓
Authenticated user can access protected pages
↓
Logout removes session access
What Authentication Means
Authentication is the process of verifying that a user really is who they claim to be. In this framework, that usually happens when the user submits a login form and the application checks the submitted credentials against a stored user record.
Once the credentials are verified, the framework stores the user’s identity in the session. From that point forward, the application treats the user as logged in until logout or session end.
The Big Idea
Authentication is the gate that turns a guest request into an authenticated session. The framework checks credentials, sets session data, and then uses that session to decide whether the user may access protected areas of the application.
- Guests may view public pages
- Only authenticated users may reach protected pages
- Logout removes session-based access
Step-by-Step Flow
1. The user opens the login page
A guest visits a route such as /auth/login. The controller renders the login form where the user can enter credentials.
2. The user submits credentials
The form sends the submitted email or username and password to the authentication controller. This is usually a POST request.
3. The controller validates the request
Before authenticating the user, the controller checks the request data. This may include trimming input, verifying required fields, and validating the CSRF token.
4. The application looks up the user record
The controller or model finds the user record based on the submitted email or username.
$user = User::findByEmail($email);
5. The password is verified
If a matching user is found, the submitted password is checked against the stored password hash.
if ($user && password_verify($password, $user['password'])) {
    Auth::login($user);
}
6. A session is created
If the credentials are valid, the framework stores the user identity in the session. This marks the user as authenticated.
$_SESSION['user_id'] = (int) $user['id'];
7. Protected pages become available
Once the session is set, the framework can allow access to routes that require login, such as dashboard pages, post creation, editing screens, or account areas.
8. The framework checks authentication on later requests
Protected controllers or actions can use an authentication check to decide whether the user may continue or should be redirected to the login page.
if (!Auth::check()) {
    $this->redirect('/auth/login');
}
9. Logout removes access
When the user logs out, the framework removes the session identity and returns the user to guest status.
unset($_SESSION['user_id']);
Example Login Flow
GET /auth/login
↓
Render login form
↓
POST /auth/login
↓
Validate CSRF + submitted credentials
↓
Find user record
↓
Verify password
↓
Set session user_id
↓
Redirect to dashboard or intended page
Example Protected Route Flow
User requests /posts/create
↓
Auth::check()
↓
Yes -------------------→ Allow access
No --------------------→ Redirect to /auth/login
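The login, check and logout steps above, wired into one helper. This is an added example, not the framework's own code: User::findByEmail() (returning an array with 'id' and 'password', or null), User::updatePasswordHash(), and the csrf_token session key are assumptions.

```php
<?php
// Added example, not the framework's own code. User::findByEmail(),
// User::updatePasswordHash() and the 'csrf_token' session key are assumptions.
final class Auth
{
    // Step 3: the form's CSRF token must match the one stored in the session.
    public static function csrfValid(?string $token): bool
    {
        return is_string($token)
            && isset($_SESSION['csrf_token'])
            && hash_equals($_SESSION['csrf_token'], $token);
    }

    // Steps 4-6: look up the user, verify the hash, then mark the session.
    public static function attempt(string $email, string $password): bool
    {
        $user = User::findByEmail(trim($email));
        if (!$user || !password_verify($password, $user['password'])) {
            return false; // same generic failure for unknown user and wrong password
        }
        // Upgrade the stored hash if the configured algorithm or cost has changed.
        if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
            User::updatePasswordHash((int) $user['id'], password_hash($password, PASSWORD_DEFAULT));
        }
        self::login($user);
        return true;
    }

    public static function login(array $user): void
    {
        // A fresh session id on login prevents session fixation: an id the
        // browser held as a guest must not become an authenticated one.
        session_regenerate_id(true);
        $_SESSION['user_id'] = (int) $user['id'];
    }

    // Step 8: called by protected controllers before doing anything else.
    public static function check(): bool
    {
        return isset($_SESSION['user_id']);
    }

    // Step 9: drop the whole server-side session, not only the user_id key.
    public static function logout(): void
    {
        $_SESSION = [];
        session_destroy();
    }
}
```

A login controller would call Auth::csrfValid($_POST['csrf_token'] ?? null) first, then Auth::attempt($email, $password), redirecting to the dashboard on true and re-rendering the form with a generic error on false.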
Authentication Outcomes
Valid credentials: the user is authenticated, a session is created, and protected parts of the application become available.
Invalid credentials: the user remains a guest, the session is not created, and an error message may be shown.
Responsibility in the Framework
View = displays the login form
Controller = validates the request and coordinates login
Model = retrieves the user record
Session = stores authenticated user identity
Auth helper = checks login state across the app
Why This Matters
Authentication allows the application to separate public access from user-only functionality. It also creates the foundation for broader features such as account pages, dashboard access, post ownership, and role-based permissions.
- Protects restricted pages
- Associates actions with the correct user
- Supports session-based access control
- Prepares the framework for future authorization features
Key Idea
Authentication answers the question: “Who is this user?” Once the answer is verified, the framework stores that identity in the session and uses it on later requests.
Snapshot Summary
- The user opens the login form
- The form submits credentials to the controller
- The application looks up the user record
- The password is verified
- A session is created for valid credentials
- Protected pages become available
- Logout removes session-based access